3.0 Personnel Security

  1. Recruitment
  2. Security Awareness and Training
  3. Personnel Security Control
  4. Identification of Personnel
  5. Separation of Duties


3.1 Recruitment

  1. Staff job descriptions should indicate the appropriate level of access to university information and university information systems. Such a level should be determined on a "need-to-know" basis in order for the staff member to execute job responsibilities.

  2. Prospective employees who may collect, access or otherwise use university data should be screened for knowledge of university information principles and demonstration of appropriate practice relating to university information issues, confidentiality and security. Reference checks and security clearances should be undertaken when appropriate.

  3. The university should confirm that professional staff are bound by a professional code of ethics/conduct.

  4. As a condition of employment, each employee should sign a witnessed and dated "Pledge of Confidentiality and Privacy" indicating that they have been made aware of the university's Security and Privacy Policy and the consequences of breaching the Security and Privacy Policy.

    Note: A sample Pledge of Confidentiality and Privacy Form is found in Annex 3.

  5. Before commencement of duties, the university should formally advise employees of:

    a) their authorised level of security access, and
    b) their responsibilities with respect to the security and privacy of university data.


3.2 Security Awareness and Training

  1. The university should provide orientation and training to all employees, professional staff, contract staff and volunteers concerning the university's policies and procedures for ensuring the privacy and security of university data. Orientation and training programs should include:

    a) security and privacy policy,
    b) security procedures,
    c) employee responsibilities,
    d) reporting security and privacy violations.

  2. A certificate of attendance at a security awareness or training program should be placed on the employee's personnel file.

  3. Security awareness and training programs should be provided to employees, professional staff, contract staff and volunteers on a periodic basis (eg. annually, bi-annually) to maintain awareness and provide information about new policies or procedures.


3.3 Personnel Security Control

  1. A record should be maintained and be readily available documenting:

    a) the issue and retrieval of security-related items such as keys, codes, combinations, badges and system passwords;

    b) the custody and use of all information system assets such as loan or issue of computer hardware (eg. laptop), computer software, and specialised equipment.

  2. If new duties or tasks require an individual's security and access level in their position to be:

    a) higher, then the university should make administrative arrangements to ensure access to that high level data occurs only after an appropriate screening process is successfully completed; or
    b) lower, the university should inform the individual of the new access requirements of the position or contract and reflect these changes in the employee's position description.

  3. On termination or transfer of employment, or when the employee's duties no longer require access to university data, the university should immediately:

    a) revoke access privileges (eg. user-IDs and passwords) to system and data resources, and secure areas,
    b) retrieve sensitive material including access control items (eg. keys and badges), and
    c) retrieve all hardware, software and documentation issued or loaned to the employee.

  4. The university should have corrective and disciplinary procedures in place to address any breach of security or privacy.

  5. Staff performance reviews should assess performance related to the handling of university data.

  6. In the case of contracted personnel and services, it should be a condition of the contract that such personnel be bound by all policies and procedures of the university concerning the security and privacy of university data, including the completion of the Pledge of Confidentiality and Privacy form noted in 3.1.4.

  7. Volunteers, students, staff and professional staff should be bound by all policies and procedures relating to the security and privacy of university data.


3.4 Identification of Personnel

  1. Authorised identification and computer access codes, consistent with the appropriate level of access to university data, should be issued to all individuals employed either directly or under contract by the university.

  2. Identification cards or access badges should be issued to all authorised personnel. The cards or badges should be tamper-resistant and contain, as a minimum:

    a) name of card holder,
    b) facial-view photograph of card holder,
    c) signature of card holder,
    d) signature of issuing authority,
    e) expiry date,
    f) badge or card control serial number.

    The card or badge should:

    a) be visually and uniquely associated with a given secure area, and
    b) visually indicate the type of access privileges granted to the bearer (eg. escort required, unrestricted access).

    The card or badge should bear no identification of the organisation or facility in which it is used.

  3. A temporary identification card or access badge should be issued to any individual allowed access to secure areas of the university's facility.

  4. Standard Operating Procedures should be established for the regular review and update of identification cards or access badges. These procedures should cover:

    a) verification and withdrawal for cause,
    b) replacement when supported by a threat and risk assessment,
    c) replacement due to damage,
    d) reporting and replacement due to loss or theft,
    e) recovery of expired cards,
    f) recovery of cards when employment is terminated or when an employee is transferred and requires a change in access privileges, and
    g) significant facial changes.

  5. Only one identification card or access badge should be issued to each person.

  6. The university should control and secure blank identification card and access badge stock by documenting their issue and retrieval, and storing them in a secure container or safe.


3.5 Separation of Duties

  1. The university should ensure that organisation structures and job descriptions are designed to provide an appropriate separation of duties.

    Examples:
    University service staff should be prohibited from making changes to computer programs without authorisation.

    Systems personnel should not make, or be responsible for, input additions or error corrections.


Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee
